Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05NGNjLXhqeHItcHd2Zs4AA9WR

DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document

Impact

In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack.

This attack may only be initialized by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a visitor or logged-in user downloads the file or clicks on a download link shared by the attacker.

If your site is running the frontend and backend from separate domains, CORS and CSRF protection built into DSpace help to limit the impact of the attack.

If the repository is configured to only download HTML / XML / JavaScript Bitstreams using the Content-Disposition: attachment header, then the attack is no longer possible. See "Workarounds" below.

Patches

The fix is included in both 8.0 and 7.6.2. Please upgrade to one of these versions, or manually apply one of the "Workarounds" below.

If you are already running 7.6 or 7.6.1, then this vulnerability can be fixed via a configuration update in your dspace.cfg configuration file. See details in below.

Workarounds

DSpace sites running 7.6 or 7.6.1 can fix this issue by adding the following webui.content_disposition_format settings to their dspace.cfg (or local.cfg). These settings force all HTML, XML, RDF & JavaScript files to always be downloaded to a user's machine, blocking the attack. For more details see PR #9638

webui.content_disposition_format = text/html
webui.content_disposition_format = text/javascript
webui.content_disposition_format = text/xml
webui.content_disposition_format = rdf

These settings will take effect immediately. There is no need to restart Tomcat.

To verify the settings are working: upload an HTML or XML file to an in-progress submission. Attempt to download the file. The file should not open in your browser window. Instead, it should download to your local computer.

DSpace sites running 7.0 through 7.5 will need to either (CHOOSE ONE):

References

Discovered and reported by Muhammad Zeeshan (Xib3rR4dAr)

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-94cc-xjxr-pwvf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NGNjLXhqeHItcHd2Zs4AA9WR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 5 months ago
Updated: 5 months ago


CVSS Score: 2.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Identifiers: GHSA-94cc-xjxr-pwvf, CVE-2024-38364
References: Repository: https://github.com/DSpace/DSpace
Blast Radius: 3.9

Affected Packages

maven:org.dspace:dspace-server-webapp
Dependent packages: 2
Dependent repositories: 32
Downloads:
Affected Version Ranges: >= 7.0, < 7.6.2
Fixed in: 7.6.2
All affected versions: 7.1.1, 7.2.1, 7.6.1
All unaffected versions: 7.6.2